CVE-2026-44318 - free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes t

📡 GitHub-Advisory · 2026-05-08


GHSA-27ph-8q4f-h7m7 MEDIUM go/github.com/free5gc/bsf

CVE: CVE-2026-44318

Summary

free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler performs an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read the map while another writes it, and the Go runtime aborts the process with "fatal error: concurrent map read and map write" (this runtime error from concurrent map access bypasses recover() and terminates the process). The BSF container exits with code 2, and the entire BSF SBI surface stays down until restart.

This endpoint requires a valid nbsf-management OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated process-kill DoS.

Details

Validated against the BSF container in the official Docker compose lab.

  • Source repo tag: v4.2.1
  • Running Docker image: free5gc/bsf:v4.2.1
  • Docker validation date: 2026-03-22
  • BSF endpoint: http://10.100.200.11:8000

Read side (locked):

```go
func (c *BSFContext) GetSubscription(subId string) (*BsfSubscription, bool) {
    c.mutex.RLock()
    defer c.mutex.RUnlock()

    sub, exists := c.Subscriptions[subId]
    return sub, exists
}
```

Unsafe write side in the create-if-absent branch of ReplaceIndividualSubcription (no Lock()):

```go
// Map write without holding the mutex (the defect described above).
subscription.SubId = subId
bsfContext.BsfSelf.Subscriptions[subId] = subscription
```

Under concurrent traffic, the Go runtime detects the unsynchronized read/write on c.Subscriptions and aborts the process. Go's concurrent map read and map write fatal is NOT a normal panic -- it is unrecoverable, Gin's recovery middleware does not catch it, and the BSF process terminates.
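One way to close this race, as an added example that is not free5GC's code or its actual patch: do the existence check and the map write inside a single write-locked section. `Store`, `Subscription`, `Put` and `StressPut` are assumed names for illustration, and the concurrent load is constructed.

```go
package main

import ("fmt"; "sync"; "sync/atomic")

// Subscription and Store are simplified stand-ins (assumed names), not free5GC types.
type Subscription struct{ SubId string }
type Store struct {
	mu   sync.RWMutex
	subs map[string]*Subscription
}

func NewStore() *Store { return &Store{subs: map[string]*Subscription{}} }

// Get is the locked read side, same shape as GetSubscription above.
func (s *Store) Get(id string) (*Subscription, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	sub, ok := s.subs[id]
	return sub, ok
}

// Put checks and writes inside one write-locked section; true means created.
func (s *Store) Put(id string, sub *Subscription) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, exists := s.subs[id]
	sub.SubId = id
	s.subs[id] = sub
	return !exists
}

// StressPut runs n concurrent Put+Get pairs over k ids; returns creations seen.
func StressPut(s *Store, n, k int) int64 {
	var wg sync.WaitGroup
	var created int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(id string) {
			defer wg.Done()
			if s.Put(id, &Subscription{}) {
				atomic.AddInt64(&created, 1)
			}
			s.Get(id)
		}(fmt.Sprintf("sub-%d", i%k))
	}
	wg.Wait()
	return created
}

func main() { fmt.Println(StressPut(NewStore(), 2000, 8)) }
```

Running a handler's tests under `go test -race` reports an unlocked map write of the kind shown above before it reaches production traffic.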

Code evidence (paths in free5gc/bsf):

  • Read side (locked):

- `NFs/bsf/internal

